Rapid7 Blog

Compromised Credentials Have a High ROI for Attackers


Given that detecting the use of compromised credentials is the core focus of user behavior analytics, and of InsightIDR, I want to explain why compromised credentials are so valuable to attackers. To understand any attacker's tools and techniques, we have to put them into the context of that attacker's challenges and goals, the same way you would analyze a business or a supply chain of businesses. Accordingly, I will use some common microeconomics terms to explain.

Phishing has a high expected return

Phishing may not be the only way to steal valid credentials, but the various statistics that have been published all show that roughly one out of every ten phishing emails will be successful. "Successful" could mean that your users open a malicious attachment, enter their corporate credentials into a phony site, or simply visit a website that attempts to compromise their machine in some other way. This statistic is relatively broad, but you can be confident that a professional social engineer with a few days for reconnaissance can far exceed this success rate with targeted spear phishing.

Stolen passwords offer simple and inexpensive distribution

Once credentials are stolen from a user in your organization, those responsible for harvesting them have hundreds of ways to distribute them to potential buyers. Once a buyer is identified, most likely on an eBay-style marketplace focused on such criminal tools, the credentials can be distributed through any medium that accepts text. This means that individuals creative enough to avoid jail time and immoral enough to knowingly steal from others need only decide whether to insert the username/password text into a website, send it in an email, embed it in a PowerPoint slide deck, send it over IRC, post it in the comments of a random article, tweet it from a short-lived Twitter account, or transmit it in any number of other ways. By comparison, exploits and malware pose a much greater distribution challenge: they run the risk of being discovered in transit, and they are not simple text.

Compromised credentials lower the cost of production

Each phase of the attacker supply chain produces something different, but every phase leads to the production of one kind of output: monetizable information that belongs to someone else. For attackers actively attempting to compromise systems in your organization, the approaches fall into two buckets:

Take control of a company asset, either manually or through malware

Use the credentials of a legitimate user to pose as someone that should have access to multiple company assets

A major reason stolen credentials have become the weapon of choice is their cost profile: it is inexpensive to purchase credentials, it is inexpensive to try using them, and they carry a low opportunity cost. Purchasing credentials is relatively straightforward: you can either buy them in bulk from someone who harvests them and puts them up for sale online, or you can hire a black hat social engineer to harvest them for you. Using stolen credentials currently has a very low likelihood of being detected or traced back to the attacker, so while the eventual use might be complex, having a single access point makes it very easy and fast to test their validity. This leads naturally to opportunity cost: while it is still very possible to take control of an organization's assets with exploits, a well-patched organization with a bevy of security controls in place means that you will likely need a very expensive zero-day exploit to reach the success rate and low likelihood of detection that come with compromised credentials. The cost of production for 0-days is massive because they require a great deal of both expertise and research to develop, and their guarantee of success rapidly depreciates from the second they are first used.

Improved malware defenses have had a secondary economic impact on compromised credentials

Starting with antivirus, then the detection of signatures in network traffic, and more recently with sandboxing and the latest Endpoint Detection & Response (EDR) solutions, organizations have invested heavily in identifying and blocking malware before it is delivered, when it attempts to install itself, and when it starts performing malicious operations. While we will never see a 100% success rate, modern malware defenses have been very effective at achieving one goal: making it expensive to use malware alone to attack an organization. While that cost has increased, the cost of sourcing and using stolen credentials has stayed very low, because their use remains in the blind spot of these evolved detection solutions. Mass malware often produces opportunistic openings in organizations that are not investing heavily in security, but a targeted attack requires more advanced, custom-built malware variants, and even then they are used with precision, only against systems that have already been accessed (with stolen credentials) and deemed susceptible. The day-to-day system reconnaissance and lateral movement can be done with widely available tools, like Windows Credential Editor, and stolen passwords or hashes in order to evade detection.
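The blind spot described above is what a user behavior baseline is meant to close: whether an attacker presents a stolen password or a stolen hash, the destination host still records a logon for that account, so an account suddenly authenticating to several hosts it has never used before is visible even though every individual credential check succeeds. The following is an added example, not InsightIDR code or anything from the original post; the event tuples are constructed sample data and the window and threshold values are arbitrary assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of simplified authentication events (not real telemetry):
# (timestamp, account, destination host). The first days form the baseline.
EVENTS = [
    ("2016-03-01 08:02", "alice", "WS-ALICE"),
    ("2016-03-01 09:15", "alice", "FILESRV01"),
    ("2016-03-02 08:10", "alice", "WS-ALICE"),
    ("2016-03-02 10:40", "alice", "FILESRV01"),
    ("2016-03-03 08:05", "alice", "WS-ALICE"),
    # Suspected misuse: same account, several never-seen hosts within minutes.
    ("2016-03-07 02:11", "alice", "WS-BOB"),
    ("2016-03-07 02:14", "alice", "WS-CAROL"),
    ("2016-03-07 02:19", "alice", "DC01"),
    ("2016-03-07 08:03", "alice", "WS-ALICE"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def build_baseline(events, baseline_end):
    """Hosts each account normally authenticates to, learned from events before baseline_end."""
    seen = defaultdict(set)
    for ts, user, host in events:
        if parse(ts) < baseline_end:
            seen[user].add(host)
    return seen


def detect_lateral_movement(events, baseline, window=timedelta(minutes=30), threshold=3):
    """Flag an account that authenticates to >= threshold hosts outside its baseline
    within `window`. Returns a list of (account, first_timestamp, sorted new hosts)."""
    alerts = []
    recent = defaultdict(list)  # account -> [(datetime, host)] of recent off-baseline logons
    for ts, user, host in sorted(events, key=lambda e: parse(e[0])):
        t = parse(ts)
        if host in baseline.get(user, set()):
            continue  # normal for this account; pass-the-hash to a known host is not caught here
        recent[user] = [(rt, rh) for rt, rh in recent[user] if t - rt <= window]
        recent[user].append((t, host))
        hosts = {h for _, h in recent[user]}
        if len(hosts) >= threshold:
            first = recent[user][0][0].strftime("%Y-%m-%d %H:%M")
            alerts.append((user, first, sorted(hosts)))
            recent[user] = []  # one burst produces one alert
    return alerts
```

A real deployment would learn the baseline continuously and key it on more than destination host (source host, logon type, time of day), but the shape of the detection is the same: score the deviation from the account's own history rather than the validity of the credential.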

So, given these factors, if you are comfortable breaking international laws, stealing from other people, and working with other criminals who may be capable of even worse, it is poor business management not to use compromised credentials. This is exactly why we built InsightIDR: to diminish the return on stolen accounts by detecting their use.